For the second year in a row Threat Stack has achieved Type 2 SOC 2 Compliance in Security and Availability with zero exceptions. We’re justifiably proud of this accomplishment, which underscores our ongoing commitment to rigorous security standards and our ability to maintain them in our company’s technology, processes, and personnel along with the highest level of security and privacy for our customers.

To an outsider, there’s no apparent difference between our 2017 and 2018 results. Threat Stack is Type 2 SOC 2 compliant in Security and Availability. CHECK AND CHECK. But under the hood, there’s a lot more to the story. The differences between the processes we used in 2017 and the way we optimized these in 2018 are significant, as are the differences in the personnel who took part in the two SOC 2 initiatives. So in this post, we’re going to talk about some of the lessons we learned and the changes we made in order to achieve the same results in an even more rigorous and efficient manner.

The People

A huge differentiation between 2017 and 2018 centers on the people we used and the way we used them. In 2017 we took one of our key employees and tied them up for hundreds of hours building SOC 2 criteria into our processes and communicating with our auditors to put us in a position to undergo the 2017 examination. While this was an amazingly comprehensive job completed to very high standards, using one person to collect so much evidence from across the company and evolving those processes over time was neither maintainable nor scalable. Although the organization took great pride in the successful 2017 SOC 2 results, we concluded as a team that a more distributed, company-wide approach would be needed in future years. So in 2018, Threat Stack built out a dedicated governance, risk, and compliance (GRC) function inside our Security team, leveraging the Engineering, Operations, and Platform Security teams to support audits.

Information was solicited from all key stakeholders, across all departments, using an auditing process that was much more distributed and efficient that it had been in 2017 — and it also freed up our CSO so he could focus on other priorities. The efficiency of the auditing process was not only the result of incorporating strategically selected stakeholders into the process, but also of using different tools to help us automate the process and conduct an internal company examination prior to the external examination.

The Internal Examination Process and Tools

In preparation for the actual examination, we wanted to conduct a rehearsal or dry run to ensure that our processes were working effectively and that we could provide proof of evidence efficiently. One of the elements of this dry run was determining what tools we could build or leverage to achieve this efficiency.

We executed the dry run and during the process, we indeed found tooling that helped us to quickly and accurately identify and centrally store proofs of evidence that would be required by the examination. We used Threat Stack custom-built tools and scripts to gather information, and experimented with a third-party tool to document and manage the gathered evidence. Ultimately, one of the lessons we learned was that such a documentation tool did not sufficiently improve our internal audit process, given our scale, and instead created friction across stakeholders internally as they had to learn a new system and associated procedures.

This dry run exercise helped us continue to improve our internal processes before the official examination took place (conducted by Schellman & Company, LLC). The value of the dry run became obvious in a number of ways. While our internal examination took approximately a month to complete, the official examination only required auditors to be present onsite for three days. (In fact, we actually cut down on the time that the auditors needed to be onsite because our dry run had prepared us so well to quickly identify and pull evidence that the auditors required.)

When the external auditors were onsite, all employees were prepared to reproduce artifacts similar to the ones that they had already prepared or created for the internal examination. This allowed employees to feel confident when answering the auditors’ questions and explaining the evidence they produced. Having completed a dry run, everyone in the process knew what to expect, and there were truly no surprises when we dealt with the auditors.